Maximal Data, Minimal Disclosure

Posted on: December 11, 2014 by Aljosa Pasic

Millions of Europeans currently hold an eID card issued by their government, which in theory enables age verification in a privacy-aware manner, without revealing the exact birthday or other attributes such as name or address. The eID owner, however, has to trust that the “age verification” agent, or service operator, actually complies with data protection and privacy legislation. There are also solutions that belong to the so-called privacy-enhancing/preserving technologies, such as minimal disclosure tokens: cryptographic mechanisms that perform data minimization on access control data. The new generation of eID cards, such as the German nPA, uses this type of technology to produce the “over 18” attribute right on the card. The service provider only obtains access rights to a binary inquiry function for exactly this purpose (age verification). Minimal disclosure tokens are sometimes also referred to as anonymity credentials or privacy-enhancing attribute-based credentials, and there are already open source implementations of this solution.

There are many emerging cyber-physical access control scenarios that will presumably be integrated into “smart-everything”. Unlocking a “Smart rent-a-car” at the airport with your eID, previously used in an online reservation, will save you some waiting time. Automated border controls are also becoming a kind of cyber-physical access control solution, widely accepted by passengers at different airports worldwide.

Once you actually think about them, identity attributes are everywhere: public administration registries, online profiles at service providers, mobile device context data, etc. Physical geo-location, for example, is an attribute that is easy to get and easy to use, increasingly as the fourth “where you are” factor in multi-factor authentication. The QR code presented near the login prompt is also proposed as a solution, in so-called “squirrel” systems.

So, what is the next big (data) thing?

The 20th century bouncer at the door of a disco club had to make really dynamic access control decisions, based on age verification, but also on reputation (a blacklist of violent visitors, usually stored in his head) and a subjective verification of the visitor’s state of sobriety at the moment of access. This is where Big Data (BD) enabled attribute-based access control (ABAC) might come into the picture. It could deliver attributes on a person’s reputation, recommendations or even the actual conditions, and could convert this doorman into the “Smart Bouncer” of the 21st century. Is this getting too scary?

Similar to public cloud provision models, “disco clouds” usually do not know in advance who their users are. Emerging cloud services put personalization and contextualization high on the priority list, so fine-grained access control is a must. The same holds in the cyber-physical world, where the imaginary “disco cloud” has several personalized areas and configurable payment schemes. A step further is the “Smart Stadium” scenario. In 2010, there was already a pilot with the Belgian electronic identity card (eID) and a service for the online purchase of football tickets. Users had the option 'save the ticket on your eID', which was actually a link to an electronic ticket created in the database. Attributes similar to those of the “disco cloud” could also be used here, in addition to the “local” and “visitor” attributes, verified in order to separate supporters.

Is this multi-factor, attribute-savvy, BD-enabled ABAC actually leading towards “maximal” disclosure, as opposed to the whole principle of the “minimal disclosure token”? The Big Data Value public-private partnership and the project PRIPARE (PReparing Industry to Privacy-by-design by supporting its Application in Research), among other initiatives, are addressing this discussion.


About Aljosa Pasic

Aljosa Pasic is currently Technology Transfer Director at Atos Research & Innovation (ARI), based in Madrid, Spain. He graduated in Information Technology from the Electrotechnical Faculty of Technical University Eindhoven, The Netherlands, and worked for Cap Gemini (Utrecht, The Netherlands) until the end of 1998. In 1999 he moved to Sema Group (now part of Atos), where he occupied different managerial positions. During this period he participated in more than 50 international research, innovation or consulting projects, mainly related to the areas of information security or e-government. He is a member of the EOS (European Organisation for Security) Board of Directors, and collaborates regularly with organisations such as ENISA, IFIP, IARIA, and others.
